suspex0

Reputation: 1

C++ | Adding workload to an existing thread from an injected DLL

In my project I injected a DLL (64-bit Windows 10) into an external process with manual-map & thread-hijacking, and I do some stuff in there.

In the current state I use "RtlCreateUserThread" to create a new thread and do some extra workload in there, to distribute it for better performance.

My question is now... Is it possible to access other threads of the current process (hijack them) and add your own workload/code there, without creating a new thread?

I haven't found anything helpful on the internet yet, and the code I used and modified for thread-hijacking seems to only work for a DLL file. Because I am pretty new to C++ and still learning, I am thankful for any help.

(If you want to see the source for the injector, Google GHInjector; you'll find the library on GitHub.)

Upvotes: 0

Views: 350
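A defender-side check, added here as an example and not part of the question or of the GHInjector project: the PowerShell script below lists the threads of a process whose Win32 start address is not backed by any loaded module. A thread started from outside the process with RtlCreateUserThread (as the question describes) usually begins in memory that no module on disk backs, so it stands out in this listing. The process name, the script name and the column layout are assumptions.

```powershell
# Added example (not from the question, answer or GHInjector): list the threads
# of a process and flag those whose start address lies outside every loaded module.
# Assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, run with enough
# rights to read the target's module list (elevate for other users' processes)
# and with the same bitness as the target, or Modules will throw.
param([string]$ProcessName = "notepad")   # assumed default target name

function Get-ThreadBackingReport {
    param([System.Diagnostics.Process]$Process)

    # One (start, end) address range per loaded module.
    $ranges = foreach ($m in $Process.Modules) {
        [pscustomobject]@{
            Name  = $m.ModuleName
            Start = $m.BaseAddress.ToInt64()
            End   = $m.BaseAddress.ToInt64() + $m.ModuleMemorySize
        }
    }

    foreach ($t in $Process.Threads) {
        # ProcessThread.StartAddress is the Win32 start address the OS recorded
        # when the thread was created.
        $addr  = $t.StartAddress.ToInt64()
        $owner = $ranges |
            Where-Object { $addr -ge $_.Start -and $addr -lt $_.End } |
            Select-Object -First 1

        [pscustomobject]@{
            ThreadId     = $t.Id
            StartAddress = ('0x{0:X}' -f $addr)
            Module       = if ($owner) { $owner.Name } else { '<unbacked>' }
            State        = $t.ThreadState
        }
    }
}

foreach ($p in Get-Process -Name $ProcessName -ErrorAction Stop) {
    Write-Host ("Process {0} (PID {1})" -f $p.ProcessName, $p.Id)
    Get-ThreadBackingReport -Process $p | Format-Table -AutoSize
}
```

Run it as `.\Get-ThreadBackingReport.ps1 -ProcessName notepad` and look for rows marked `<unbacked>`. Two caveats: runtimes that generate code at run time (for example the .NET JIT) legitimately start threads in unbacked memory, so treat a hit as a lead to investigate rather than proof of injection; and a thread whose execution was redirected after it already existed (the approach the answer below outlines) keeps its original start address, so this check does not see it and you would have to inspect the thread's current instruction pointer and the protection of the page it points into instead.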

Answers (1)

alexb

Reputation: 322

It is possible, but it is complicated and may not work in all cases. You need to splice the existing thread's machine code, so you will need write access to the code page memory. Logic:

  1. find the thread id and thread handle, then suspend the thread with the SuspendThread WINAPI call
  2. the suspended thread can be in a wait state or in a system DLL call now, so you need to analyze the current execution stack, backtrace it and find an execution address from the application space. You need the API function StackWalk, and PDB files in some cases. It also depends on the running architecture (x86, amd64, ...). Walk through the stack until your EIP/RIP is in the application memory address space
  3. decode the machine instruction (it will be a 'call') and splice the next instructions to your function call. You need to use a __declspec(naked) declared function or an ASM-implemented one to execute your code and the replaced instructions.
  4. ResumeThread

This method may work only once, because there is no guarantee that the application code is executed in a loop.

Upvotes: 0
